ABSTRACT

A security shield implementation method comprising computer software for use with a computer system's software, which is transparent to the user of the computer system software and utilizes the steps of system call interception and interactive command interception to control access by a user of the computer system software. System call interceptions of non-interactive commands, file accesses, programs, and networks, and interactive commands, such as access to interactive programs, are routed and examined by redirector software. Security rule checks and log event functions are then conducted on the non-interactive commands, file access requests, programs, networks, and the interactive commands. If a non-interactive command, file access request, program, network, or an interactive command is approved, the command request is then forwarded to the computer operating system.

18 Claims, 4 Drawing Sheets 
METHOD FOR SECURITY SHIELD IMPLEMENTATION IN COMPUTER SYSTEM'S SOFTWARE

BACKGROUND OF THE INVENTION 

1. Field of Invention

This invention relates to security systems and methods for computer system software, and more particularly to security shields for computer system's software and methods for implementing such security shields.

2. Description of the Related Art 

The present invention provides a software technology and methodology to implement security shields and enhance security capabilities for open systems such as UNIX and NT. Disclosed are software event interception methods for implementing security access control and security monitoring that is non-circumventable and does not require modification of the operating system (OS) and system commands, and which is transparent to the user. The disclosure also describes a unique security language to implement simple but configurable Global Default Protection that is easily implemented on networked systems with significantly reduced administration and costs.

Heretofore, various security systems for computer system software have been proposed and implemented. However, security systems and methods have been limited by significant drawbacks. It is generally agreed in the computer industry that the challenge to computer security lies in both a lack of functional capabilities and in the inability to fully implement the security solutions and methods. A partially implemented security plan is as weak as the weakest point in the entire security system.

Some security systems are provided with point solutions for specific security problems; however, these solutions typically do not have a full set of features and functionality. For example, authentication is only one component of security, and for a security system to be complete it should be accompanied by granular authorization, policy management, and full monitoring and audit reporting.

Other current software security products are ported from other operating system environments or merged together through acquisition. For example, though such approaches to security used in mainframe computers are very effective, using the same approach in a UNIX client/server environment requires addressing issues that are specific to UNIX. By porting security products to UNIX, vendors frequently attempt to implement capabilities that are incomplete for the new operating system environment. In addition, by combining various products and attempting to integrate them, vendors are faced with complex architectural differences. Frequently, these differences leave the system vulnerable due to lack of integration, limited administrative capabilities, or inadequate security.

Still other approaches use methodologies that are simply too complex to be fully implemented or too costly to manage. These solutions, by necessity, must be complicated in order to secure and protect all distributed computing resources. By way of comparison, the software of the present invention provides a methodology where the scope of the problem is simplified, whereas prior security methods and products apply complex solutions in an attempt to secure the Superuser. By definition, complexity increases the likelihood of operator error and reduces the ability to validate implemented policies against written policies, with a concomitantly high administrative cost.
Such prior systems and methods have resulted in extremely high costs to users to evaluate, standardize, purchase, implement, administer, and upgrade. For an enterprise that is seeking end-to-end integrated solutions, the total cost of ownership is a crucial factor. Since such systems and methods offer limited functionality, lack integration, and are very complex to set up and administer, improved solutions and methodologies are clearly needed. Furthermore, such limitations often lead to poor implementation, leaving the system vulnerable and resulting in losses far in excess of the cost of the product.

For example, Dynasoft Inc.'s BOKS security system provides one level of security control, namely user authentication. BOKS does not provide resource level access control for file and application access. The present invention, however, provides two levels of security, authentication and authorization. Once a user has logged in (authenticated) using the present method, their access is verified (authorized) against the security policy so that they are able to access only the resources for which they have been given permission. This greatly minimizes the destructive activities that an "authorized" user can engage in after they have logged in.

Another example is Memco, Inc.'s SeOS. This methodology is very complicated both to implement and to maintain. Such complexity results primarily from the presence of the Superuser, and SeOS's use of access control lists (ACL) as the principal access control mechanism. The SeOS method retains the use of the Superuser and then attempts to control Superuser access. SeOS protects login access from consoles and terminals, leaving the system vulnerable to attacks from other alternate access paths. The present invention, in contrast, protects access from all alternative access paths and eliminates Superuser access. The computer system is protected because no "backdoor" access exists and no user can assume Superuser control. Moreover, SeOS's architecture makes it difficult to verify a corporate security policy against the SeOS implementation. This results from the presence of the Superuser and access control being provided at the system resource level using ACL's, a bottom up approach. The present invention provides a methodology that insures that resource protection is defined at the user level, a top down approach. Accordingly, using the method of the present invention a written corporate security policy can be easily implemented and verified, simplifying centralized security administration, meeting audit requirements quickly, and is both secure and easy to manage at a lower cost.

A further example of security systems and methods is Axent, Inc.'s OmniGuard. The OmniGuard system relies on system access control, security assessment, audit, monitoring, and root privilege delegation capabilities. However, OmniGuard also uses the Superuser and all of the abovementioned vulnerabilities and limitations exist. Furthermore, OmniGuard does not provide access control to files, leaving data vulnerable to attack and misuse.

Prior methods to implement security enhancements to an existing computer system have utilized one or a combination of the following approaches to implement security: 1) The development of a new, more secure operating system, which is very expensive to both the product developers and the users. For example, the Secure OS from Hewlett Packard, Corp., which uses a government B1 security standard, is a total rewrite of the OS. 2) The addition of security-related services that require customized changes to the existing OS. Such services include system libraries, new system commands and system configuration files. This approach alters the underlying OS and the interactions with the users; it also involves customized solutions and security management procedures for different computers and operating systems.

Accordingly, the primary objects of this invention are to provide a security shield and security methodology for computer system software which adds increased security to existing computer systems and their operating systems, and which is implemented without requiring changes to the software, either source code or binary code, of the underlying operating system; which does not require users to change their normal interaction with the computer system and the operating system; which is simple to implement and manage; which has a small operational overhead; which has a uniform implementation approach for different and/or heterogeneous systems; and which is extremely efficient and reliable.

Additional objects and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention. The objects and advantages of the invention may be realized and obtained by means of the instrumentalities and combinations particularly pointed out in the appended claims.

SUMMARY OF THE INVENTION 

The present invention provides a very efficient and cost effective method for adding security to computer software systems such as UNIX operating systems from Hewlett Packard, Inc., IBM, Inc., Digital, Inc. and Silicon Graphics, Inc., as well as other computer system software. The present invention discloses software which allows for the methodology described to be implemented in a manner transparent to the users and achieved without direct modification of the underlying operating system and environment. The method of the present invention provides security shields which are not easily removed or modified and can therefore be relied upon and trusted. The present security methodology is comprehensive and simple to implement and manage, resulting in significant cost advantages over all prior systems and methods.

The present invention uses software methodology to place a security shield in front of any computer system software by placing controls and monitors in front of all access paths to the computer system software. The present invention utilizes computer software to implement a software call interception technique to provide a simple yet secure method to place controls and monitors in access paths of computer system resources. The present methodology protects and monitors access to resources such as files, directories, programs, operator commands, systems and network services, all without modifying the operating system or system binaries. The two call interception techniques provide controls for both operating system requests, such as UNIX system calls, and interactive commands, such as telnet, rsh, and ftp. The present method provides a security methodology for open systems that is transparent to the users and is done without direct modification to the underlying operating system and environment, while providing adequate security which is difficult to remove, and which is comprehensive and simple to implement and manage.

To achieve the foregoing objects, and in accordance with the purpose of the invention as embodied and broadly described herein, a security shield implementation method for computer system software which is transparent to the user of the computer system software is provided comprising the steps of system call interception and interactive command interception from a user of the computer system software. System call interception, for protection of non-interactive commands, file access requests, program access requests, networks, and the like, and interactive command interception, for controlling access to interactive programs, are routed and examined by redirector software. Security rule checks and log event functions are then conducted on the non-interactive commands, file access requests, program access requests and the like, and on the interactive commands. If a non-interactive command or file access request, for example, or an interactive command is approved, the command request is then forwarded to the computer operating system.

There is also provided, in accordance with the invention, a method for security shield implementation in computer system software for protection of the computer system software from unauthorized access by a user, comprising: means for controlling access to files of the computer system software by redirector means for intercepting a non-interactive command request from a computer system user prior to forwarding the request to the operating system software, performing a rule check and a log event function using operating system call interception, returning a failed rule check request to the computer system user, and forwarding approved requests for continued processing to the operating system. Means for controlling access to interactive programs by redirector means for intercepting an interactive command from a user, returning failed rule check interactive commands to the user, and continuing processing of succeeded rule check interactive commands are provided. Then the interactive or the non-interactive commands are forwarded for processing by the operating system software.

BRIEF DESCRIPTION OF THE DRAWINGS 

The accompanying drawings, which are incorporated in and constitute a part of the specification, illustrate a preferred embodiment of the invention and, together with the general description given above and the detailed description of the preferred embodiment given below, serve to explain the principles of the invention.

FIG. 1 is a flow chart of the preferred methodology for implementing a security shield for computer system software, according to the invention.

FIG. 2 is a schematic representation of the command interception and system call interception methodology utilized to secure computer system software, according to the invention.

FIG. 3 is a schematic representation illustrating the problem of security in UNIX/NT operating systems, according to the invention.

FIG. 4 is a schematic representation of the method of the present invention where the complex security problems are simplified by implementing least privilege methodology, according to the invention.

FIG. 5 is a schematic comparison of prior art security system file access protection compared with the security shield methodology of the present invention, according to the invention.

FIG. 6 is a schematic comparison of prior art security system application (AP) program protection compared with the security shield methodology of the present invention, according to the invention.

FIG. 7 is a diagrammatic representation of a file directory hierarchy of a web server for protection by the security shield methodology using file access control, according to the invention.
DESCRIPTION OF THE PREFERRED EMBODIMENTS

Reference will now be made in detail to the present preferred embodiments of the invention as illustrated in the accompanying drawings.

The present invention provides an efficient, secure, user transparent method for implementing a security shield for any computer system software. It is provided as a fully integrated intranet security software that applies the quality of mainframe security to heterogeneous UNIX and Windows NT systems, as well as other computer software systems. The present methodology protects files, directories, programs, operator commands, systems, and network services, all without modifying the operating system. It achieves this by addressing a variety of UNIX and other operating systems' security weaknesses, for example, the presence of the Superuser account. The present invention provides the integration of advanced security functionality including centralized enterprise-wide security management, authorization service for granular resource sharing and access control, default protection, and delegation of administrative privileges. The present methodology accomplishes this by providing a sophisticated, simple to administer security that substantially reduces the costs associated with such protection when compared to all prior systems and methods.

In accordance with the present invention, there is provided a security shield implementation method for computer system software which is transparent to the user of the computer system software comprising the steps of system call interception and interactive command interception of access requests and commands from a user of the computer system software. The system call interception techniques are used, for example, for securing non-interactive commands, file access, programs, program access requests, networks, and the like; and the interactive command interception techniques are used for controlling access to interactive programs, and such requests and commands are routed and examined by redirector software. Security rule checks and log event functions are then conducted on the non-interactive commands and the interactive commands. If a non-interactive command or an interactive command is approved the command request is then forwarded to the computer operating system.

There is also provided, in accordance with the invention, a method for security shield implementation in computer system software for protection of the computer system software from unauthorized access by a user. Preferably the method comprises means for controlling access to files of the computer system software by redirector means for intercepting non-interactive command requests, file access requests, program access requests, network requests, and the like, from a computer system user prior to forwarding the request to the operating system software, performing a rule check and a log event function using operating system call interception, returning a failed rule check request to the computer system user via the open system call, and forwarding approved requests for continued processing to the operating system. Means for controlling access to interactive programs by redirector means for intercepting an interactive command from a user, returning failed rule check interactive commands to the user, and continuing processing of succeeded rule check interactive commands are provided. Then, the interactive commands or the non-interactive commands, file access requests, programs, networks, and the like, are forwarded for processing by the operating system software.

In FIG. 1, the security shield methodology 10 for computer system software of the present invention is shown according to a preferred embodiment of the invention. Preferably means for system call interception, utilized for controlling access to files, non-interactive commands, programs, networks, and the like, from a user of the computer system is achieved by system call interception 12 including the following sequence of steps: edit 14 (/tmp/temp), open 16 (/tmp/temp), and redirect the request via redirector 18. Redirector 18 is software which intercepts requests or commands from users and redirects the request to software means for examination and rule check as described below. Next the request is examined by performing rule checks and log events 20. If the rule checks for this particular application are failed 40, then the request is returned 24 by failure code to the user via the open system call. If the request succeeds or passes the rule check 20 it is forwarded for further processing 28 of the request by the operating system.

Means for intercepting interactive commands, such as access to interactive programs, is preferably achieved using interactive command interception 30, which controls access to interactive programs of the host software and other interactive programs. As seen in FIG. 1, interactive command interception 30 preferably comprises the steps of login 32, shown, for example, using user id "eric". The command is then routed to redirector 34 and the command is then shunted to redirect exec and to login wrapper 36. All command inputs from the user to /bin/login are processed and checked 38 according to security rule checks, such as checking whether user "eric" can login at this time of the day, and if the input is successful at passing the rule check, the succeeded rule check command 42 is then processed to redirect user input 44 to /bin/login, and the login output is redirected with keystroke trace for further processing. If the rule check is failed 39, then it is returned to user 40.

With reference now to FIG. 2, a schematic representation of the preferred method of the present invention is shown where program access is represented by concentric circles and operating system 46 is shielded by concentric rings representing system call interception 12 for screening non-interactive commands 13 and file access 15, for example, and interactive command interception 30 for screening interactive commands 31. By combining both system call interception 12 and command interception 30, the present methodology provides Global Default Protection means and is an elegant and reliable means for implementing security shields for protection of any computer system software.

For example, in both UNIX and NT systems, a "Superuser" power program overrides all other system protections. The "Superuser" was designed to give one class of user absolute control over system administration activities and, in large organizations, this capability is typically assigned to many people. Superusers may remove any or all access controls, violate security policies, view and change any file, read anyone's e-mail, and remove passwords. Security in such software systems becomes an exponentially complex and expensive task in the presence of the Superuser because all resources must be secured, monitored, and controlled against inadvertent Superuser attacks, as seen in FIG. 3. In addition to files 48 owned by the user, shared files 50 which are not sensitive, and shared files 52 which are sensitive, programs, operator commands, systems and network services are all vulnerable to the Superuser threat and, therefore, must be protected.

In a UNIX system, for example, all access paths to system resources must be addressed to completely secure the UNIX system. Using login access to systems as an example, access other than via the system console terminal can be achieved through many paths such as telnet, rlogin, rsh, X Window based login, XDM login, CDE login, and HP VUE login. However, protecting the absolute file path, i.e. /a/b/temp, does not provide complete protection because alternative access through relative paths and symbolic links exists. Protecting against alternative access paths is especially important in the context of Superuser access as described. The present methodology provides complete protection for alternative access paths to resources without modifying the operating system code or system commands by using both system call interception and command call interception as disclosed.

The present methodology, in the preferred embodiment, reduces the complexity of the security problem of UNIX and NT by eliminating Superuser access and implementing Least Privilege (granular privilege access control) methodology which insures that all data and resources are available to personnel only on a need-to-know basis. In this manner, damage from malicious attack is minimized and contained. Without the present methodology, the implementation of Least Privilege for distributed computing does not occur due to the presence of the Superuser account which has all system privileges.

The methodology of the present invention is differentiated from prior security products and methods by its ability to enable simple security management by effectively utilizing Least Privilege techniques, Default Protection techniques, and Role-based Access.

The present methodology uses Least Privilege so that each user and each program operates using the fewest privileges possible, and all users access resources on a need-to-know basis. The preferred methodology eliminates Superuser access while retaining system operations that require administrative privilege. The method, in effect, replaces the Superuser with the Administrative Privilege Delegation (APD) module. This allows administrative tasks to be delegated to administrative users and non-secure administrative tasks to be delegated to end-users. With Least Privilege, the present methodology only needs to explicitly protect shared, sensitive resources as shown in FIG. 4. With the present methodology, files 48 owned by the user, and files 50 which are not sensitive, are not explicitly protected, while shared files 52 which are sensitive are protected. Such implementation of a Least Privilege based methodology is not possible without the present method due to the presence of the Superuser.

Referring now to FIG. 5, the security shield methodology of the present invention is shown in relation to prior file access protection methods. The user, in prior methods, requests to open 54 the file, and the request proceeds to a file list 55 and access rules 56 with access control lists (ACL's). The system call interface 57 shown is used as a filter for commands to operating system (OS) 46. In contrast, the security shield methodology of the present invention provides file access protection in a far simpler manner, where a request or command for file access is directed to a file list 55, intercepted by system call interface 57 and directed to access rules 56. The request or command is intercepted and redirected via the redirector and the request is then examined. If security is to be enforced on the file, the request or command is sent back to user space. If no security is to be enforced the request or command continues to the operating system for further processing. The present method accordingly uses a significantly smaller footprint of memory in the operating system as the access control lists are stored in user memory, not in the operating system. This allows for protection of a greater number of files as compared to prior methods and systems and is achieved without direct modification of the operating system.
In FIG. 6, a schematic comparison of security protection for interactive programs for prior methods and the security shield methodology of the present invention is shown. In prior methods the user 61 requests access to a program where the original login program has been replaced by new login program 62 /bin/login. The security shield methodology 10 of the present invention is shown where, for interactive program access, the user 61 requests or commands are directed to security shield wrapper 64 and then, if approved, to the original login program 68 /bin/login.

The present methodology is also very useful for internet and intranet security applications. The present method provides a file access control module by which web servers, database servers, NFS and file servers can be protected. The file access module contains or compartmentalizes access so that any access using a CGI or Java script is restricted through the use of an access control path. An example is an application environment where users and resource objects, including applications and files such as configuration files, databases and web pages, require protection. As seen in FIG. 7, a file directory hierarchy of a web server is shown. Web application 70 is shown operably linked to Bin/ 72, which is the directory containing all the applications, such as CGI and Java scripts. Config/ 74 is the directory containing all the configuration files used by the applications. Db/ 76 is the directory containing all database files used by the applications, and Web/ 78 is the directory containing all of the web pages.

In addition to the file access control module described, the present method also allows for the implementation of a centralized enterprise security system in heterogeneous environments. The present method may be utilized in such applications by a phased implementation which is both cost effective and very reliable because of the modular security means provided. Such means preferably comprise an enterprise security administrator (ESA) module which provides base-line authentication and authorization security functions such as centralized password management, access control to systems, access control to networks, and real-time security event monitoring and notifications.

A file access control module (FAC) is provided, preferably for the engine and administrative interfaces to authorize access and sharing of files. FAC preferably includes the capability to implement a trusted path from the users to the intended file resources by way of restricting that access through specific applications. This trusted path is termed an access control path (ACP) and provides means for performing a rule check function for file access by restricting access through a specific application program. In addition, all file access may be selectively audited and monitored centrally. FAC provides effective protection for sensitive data and critical applications residing on servers including web servers, file servers, and database servers.

By using the security methodology of the present invention with a file access module, a web server may set up secure access paths for CGI and Java scripts. All CGI scripts under a directory, for example /web/netscape.server/cgi*, have access "only" to files under directory /web/db/*. Without the use of the present method, a web user may access the web server application and then have access to related files, databases and any other files on the server not under the web application directory. The present method, however, allows access to be restricted in CGI and Java scripts to just the web files and databases.

Other modules comprise an administrative privilege delegation (APD) module which delegates a subset of the administrative powers of a Superuser account or other privileged user capabilities to specific administrative users without giving away full root power or disclosing the root password. APD provides centralized configuration management of administrative/operator command privileges for an entire network. It also provides an audit log of all privileged user activities throughout the network.

An advanced security monitor (ASM) module for auditing and monitoring of selected operating system events may be configured to audit and monitor selected activities based on users, processes, programs, and targeted files on designated systems. For example, ASM can be used to monitor all privileged access from Superusers and "setuid root" programs and processes, or to monitor all accesses to a sensitive file or program.

A single sign-on (SSO) module may be utilized for providing secured single user authentication and identification for multiple applications running across multiple platforms, for example Windows NT, UNIX, Novell and mainframe environments. SSO eliminates the need for a user to provide a different user identification and password when signing on to different applications and platforms. SSO also provides a solution to the problem of password spoofing on the network by eliminating the need to transmit passwords over the network.

In operation and use the present methodology also provides a unique method of default protection to enable corporate-wide control over security. By implementing the present methodology a corporate security administrator does not have to explicitly define access policies for most of the users on an individual basis, but rather only by exception. This greatly simplifies the process of designing, implementing, and verifying security policies. The present method allows for enterprise-wide default protection at the system level, the network level, and at the file and directory level using the system call interception and command call interception techniques previously described. Furthermore, any new files or directories added to the system are protected by default, that is, there is no need to explicitly protect them. Users are permitted to access only system resources owned by themselves, including directories, files, scripts, and programs under their home directory. Users are denied access to shared resources by default. However, systems using Superuser access cannot provide automatic file and directory level default protection because any newly created file, program or directory is subject to Superuser attack and accordingly must be explicitly protected.

The preferred methodology of the present invention also utilizes Role-based Access Control to simplify resource sharing. After implementing Least Privilege and Default Protection, users can be explicitly granted access to shared resources as defined by their job responsibilities. Both users and resource objects are preferably defined using "user roles", for example engineering, marketing, and finance, and "resource object roles", for example all application programs used by the funds transfer department, all configuration files for processing credit card applications, and all machines in subnet 129.131. Access rules are preferably specified with roles such as "All bank managers can read configuration files for processing credit card applications", as opposed to rules specified by an individual user or resource. Instead of requiring a user to assign the same authority to each user or resource in a group, the software of the present invention allows the same authority to be assigned to the group all at once. Such Role-based methodology further simplifies the scope, cost, and management of access control.
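An added example, not code from the patent or the product it describes, of how a redirector's rule check and log event function might evaluate the CGI access control path quoted earlier (/web/netscape.server/cgi* reaching only /web/db/*), the default protection of the user's own home directory, and a role-based rule of the "bank managers can read credit card configuration files" kind. The rule format, role names, the /etc/creditcard path and the user names are constructed assumptions.

```python
import fnmatch
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed policy (not the patent's own rule language). "User roles" group
# users; "resource object roles" group files by glob pattern.
USER_ROLES = {"bank_manager": {"alice"}, "web": {"nobody"}}
RESOURCE_ROLES = {"cc_config": ["/etc/creditcard/*.conf"], "web_db": ["/web/db/*"]}

@dataclass
class Rule:
    user_role: Optional[str]   # None = any user
    program: Optional[str]     # glob of the requesting program (the access control path); None = any
    resource_role: str
    ops: Set[str]

RULES = [
    # Access control path from the text: CGI scripts reach only the web database files.
    Rule(None, "/web/netscape.server/cgi*", "web_db", {"read", "write"}),
    # Role-based rule: bank managers may read credit card application configuration.
    Rule("bank_manager", None, "cc_config", {"read"}),
]

def _in_role(user: str, role: Optional[str]) -> bool:
    return role is None or user in USER_ROLES.get(role, set())

def _matches(path: str, patterns: List[str]) -> bool:
    return any(fnmatch.fnmatch(path, p) for p in patterns)

def rule_check(user: str, home: str, program: str, path: str, op: str, log: List[str]) -> bool:
    """Decide one intercepted file access and record it (the log event function).
    Default protection: a user may touch only files under their own home
    directory; any shared resource is denied unless an explicit rule grants it."""
    decision = "deny"
    if path.startswith(home.rstrip("/") + "/"):
        decision = "allow"
    else:
        for r in RULES:
            if (_in_role(user, r.user_role)
                    and (r.program is None or fnmatch.fnmatch(program, r.program))
                    and _matches(path, RESOURCE_ROLES[r.resource_role])
                    and op in r.ops):
                decision = "allow"
                break
    log.append(f"{decision} user={user} prog={program} op={op} path={path}")
    return decision == "allow"
```

Because the ACP rule matches on the requesting program rather than the user, the same file is reachable through the CGI directory and unreachable through an arbitrary shell utility, which is the behaviour the text describes.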

As is evident from the above description, the methodology of the present invention is an elegant, cost effective, and very reliable means to provide a security shield and security methodology for computer system software. The present methodology adds increased security to existing computer systems and their operating systems, and is implemented without requiring changes to the software, either source code or binary code, of the underlying operating system. The present methodology is transparent to the users and does not require users to change their normal interaction with the computer system and the operating system. Moreover, the present methodology is simple to implement and manage, has a small operational overhead, is uniformly implemented for different and/or heterogeneous systems, and is extremely efficient and reliable.

Additional advantages and modifications will readily occur to those skilled in the art. The invention in its broader aspects is, therefore, not limited to the specific details, representative apparatus and illustrative examples shown and described. Accordingly, departures from such details may be made without departing from the spirit or scope of the applicant's general inventive concept.

What is claimed is: 

1. Computer software for a security implementation method for computer system software, said computer software being stored on a computer readable medium, said medium being executed on said computer system, comprising:

means for system call interception for intercepting non-interactive commands, file access commands, program access requests, and network access commands from a user of said computer system software;

means for intercepting interactive commands from said user of said computer system software;

examination means for examining said non-interactive commands and said interactive commands from the user of said computer system software;

means for performing a rule check function of said non-interactive commands and said interactive commands from the user of said computer system software;

means for implementing log in functions of said non-interactive and said interactive commands from the user of the computer system software; and,

means for forwarding accepted said non-interactive commands, file access commands, program access requests, network access commands, and said interactive commands to the operating system of said computer system software.

2. The computer software of claim 1, wherein said means for system call interception comprises a redirector means.

3. The computer software of claim 1, wherein said means for intercepting interactive commands from said user of said computer system software comprises a redirector means.

4. The computer software of claim 1, wherein a means for controlling access to an interactive program in said computer system software comprises interactive command interception means.

5. The computer software of claim 1, wherein said method is utilized for internet software application protection by file access control means.

6. A method for security shield implementation in com- 
puter system software for protection of the computer system 
software from unauthorized access by a user, comprising: 
step for controlling access to files of said computer system software by redirector means for intercepting a non-interactive command request from a computer system user prior to forwarding to an operating system software, performing a rule check and a log event function using operating system call interception, returning a failed rule check to said computer system user via open system call, and forwarding for continued processing succeeded rule check requests to said operating system;

step for controlling access to interactive programs by redirector means for intercepting an interactive command from a user and returning failed rule check interactive commands to said user and to continue processing succeeded rule check interactive commands;

forwarding accepted said interactive or said non-interactive commands for processing by the operating system software.

7. The method for security shield implementation in computer system software for protection of the computer system software from unauthorized access by a user of claim 6, wherein said step for controlling access to files of said computer system software comprises redirecting file "open" system calls to said redirector means for examination and processing.

8. The method for security shield implementation in computer system software for protection of the computer system software from unauthorized access by a user of claim 6, wherein said step for controlling access to files of said computer system software comprises redirecting file "exec" system calls to said redirector means for examination and processing.

9. The method for security shield implementation in computer system software for protection of the computer system software from unauthorized access by a user of claim 6, wherein said non-interactive command controls access to said files of said computer system software.

10. The method for security shield implementation in computer system software for protection of the computer system software from unauthorized access by a user of claim 6, wherein said non-interactive command controls access to a program of said computer system software.

11. The method for security shield implementation in computer system software for protection of the computer system software from unauthorized access by a user of claim 6, wherein said redirector means for intercepting said requests for said computer system user comprises redirecting interactive commands via a command interception and returning a failed rule check command to said user.

12. The method for security shield implementation in computer system software for protection of the computer system software from unauthorized access by a user of claim, wherein said redirector means for intercepting said requests for said computer system user comprises redirecting interactive commands via a command interception and processing said interactive command if said user's access is approved by passing said rule check.

13. The method for security shield implementation in computer system software for protection of the computer system software from unauthorized access by a user of claim 6, wherein said step for controlling access to said interactive programs in said computer system software utilizes a small foot print of memory in said operating system.

14. The method for security shield implementation in computer system software for protection of the computer system software from unauthorized access by a user of claim 6, wherein an access control list is stored in a user's computer system's memory.

15. The method for security shield implementation in computer system software for protection of the computer system software from unauthorized access by a user of claim 6, wherein said step for controlling access to files of said computer system software and said means for controlling access to interactive programs in said computer system call interception means and command interception means, whereby a large number of files of said computer software system are protected.

16. The method for security shield implementation in computer system software for protection of the computer system software from unauthorized access by a user of claim 6, wherein said method is utilized in a UNIX operating system.

17. The method for security shield implementation in computer system software for protection of the computer system software from unauthorized access by a user of claim 6, wherein said method is utilized to secure and protect webscripts file access control means.

18. The method for security shield implementation in computer system software for protection of the computer system software from unauthorized access by a user of claim 6, further including step for performing a rule check function for file access by restricting access through a specific application program.